---
layout: docs
page_title: Storing the ACL Replication Token in Vault
description: >-
  Configuring the Consul Helm chart to use an ACL replication token stored in Vault.
---

# Storing the ACL Replication Token in Vault

This topic describes how to configure the Consul Helm chart to use an ACL replication token stored in Vault.
## Overview
To use an ACL replication token stored in Vault, follow the steps outlined in the [Data Integration](/consul/docs/k8s/deployment-configurations/vault/data-integration) section.

Complete the following steps once:
  1. Store the secret in Vault.
  1. Create a Vault policy that authorizes the desired level of access to the secret.

Repeat the following steps for each datacenter in the cluster:
  1. Create Vault Kubernetes auth roles that link the policy to each Consul on Kubernetes service account that requires access.
  1. Update the Consul on Kubernetes helm chart.

## Prerequisites
Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have:
1. Read and completed the steps in the [Systems Integration](/consul/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault).
2. Read the [Data Integration Overview](/consul/docs/k8s/deployment-configurations/vault/data-integration) section of [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault).

## Store the Secret in Vault

First, generate and store the ACL replication token in Vault. You will only need to perform this action once:

```shell-session
$ vault kv put consul-kv/secret/replication-token token="$(uuidgen | tr '[:upper:]' '[:lower:]')"
```

## Create Vault policy

Next, you will need to create a policy that allows read access to this secret.

The path to the secret referenced in the `path` resource is the same value that you will configure in the  `global.acls.replicationToken.secretName` Helm configuration (refer to [Update Consul on Kubernetes Helm chart](#update-consul-on-kubernetes-helm-chart)).

<CodeBlockConfig filename="replication-token-policy.hcl">

```HCL
path "consul-kv/data/secret/replication-token" {
  capabilities = ["read"]
}
```

</CodeBlockConfig>

Apply the Vault policy by issuing the `vault policy write` CLI command:

```shell-session
$ vault policy write replication-token-policy replication-token-policy.hcl
```

## Create Vault Authorization Roles for Consul

Next, you will create Kubernetes auth roles for the Consul `server-acl-init` job:

```shell-session
$ vault write auth/kubernetes/role/consul-server-acl-init \
    bound_service_account_names=<Consul server service account> \
    bound_service_account_namespaces=<Consul installation namespace> \
    policies=replication-token-policy \
    ttl=1h
```

To find out the service account name of the Consul server,
you can run the following `helm template` command with your Consul on Kubernetes values file:

```shell-session
$ helm template --release-name ${RELEASE_NAME} -s templates/server-acl-init-serviceaccount.yaml hashicorp/consul
```

## Update Consul on Kubernetes Helm chart

Now that you have configured Vault, you can configure the Consul Helm chart to
use the  ACL replication token key in Vault:

<CodeBlockConfig filename="values.yaml">

```yaml
global:
  secretsBackend:
    vault:
      enabled: true
      manageSystemACLsRole: consul-server-acl-init
  acls:
    replicationToken:
      secretName: consul-kv/data/secret/replication-token
      secretKey: token
```

</CodeBlockConfig>

Note that `global.acls.replicationToken.secretName` is the path of the secret in Vault.
This should be the same path as the one you included in your Vault policy.
`global.acls.replicationToken.secretKey` is the key inside the secret data. This should be the same
as the key you passed when creating the  ACL replication token secret in Vault.
